Abstract—Timed automata (TAs) represent a powerful formalism to model and verify systems where concurrency is mixed with hard timing constraints. However, they can seem limited when dealing with uncertain or unknown timing constants. Several parametric extensions were proposed in the literature, and the vast majority of them leads to the undecidability of the EF-emptiness problem: “is the set of valuations for which a given location is reachable empty?” Here, we study an extension of TAs where clocks can be updated to a parameter. While the EF-emptiness problem is undecidable for rational-valued parameters, it becomes PSPACE-complete for integer-valued parameters. In addition, exact synthesis of the parameter valuations set can be achieved. We also extend these two results to the EF-universality (“are all valuations such that a given location is reachable?”), AF-emptiness (“is the set of valuations for which a given location is unavoidable empty?”) and AF-universality (“are all valuations such that a given location is unavoidable?”) problems.


I. INTRODUCTION 


Timed automata (TAs) [AD94] represent a powerful formalism to model and verify systems where concurrency is mixed with hard timing constraints. TAs are an extension of finite-state automata with clocks, i.e., real-valued variables, that can be compared to integer constants and updated to 0 along edges (called reset in the literature). TAs benefit from many decidability results such as the reachability of a discrete location (and some undecidability results too, such as language inclusion).

Although TAs seem to be able to model many interesting problems related to timed concurrent systems, several extensions were studied. For instance, TAs where clocks can be updated to integer constants have been introduced in [BDFP04] and interesting decidability results have been obtained, depending, amongst other restrictions, on the nature of the clock constraints (e.g., diagonal-free, i.e., whether clocks are compared to each other) and the updates of clocks (e.g., whether it is allowed to update a clock to its current value increased by some rational constant). In a different direction, stopping the time elapsing of at least one clock in a TA gives stopwatch automata, for which the reachability problem becomes undecidable [CL00].

Timed automata may turn inappropriate to verify systems where the timing constants are subject to some uncertainty, where they can range in intervals, or when they are simply not known at some early design stage. Extending timed automata with parameters in guards in place of integers gives parametric timed automata (PTAs) [AHV93] and alleviates this drawback by allowing parameters (unknown constants) in the timing constraints. In the PTA literature, the main problem studied is the reachability emptiness, or EF-emptiness (“is the set of timing parameter valuations for which a given location is reachable empty?”): it is “robustly” undecidable in the sense that, even when varying the setting, undecidability is preserved. For example, EF-emptiness is undecidable even for a single bounded parameter [Mil00], even for a single rational-valued or integer-valued parameter [BBLS15], even with only one clock compared to parameters [Mil00], or with strict constraints only [Doy07]. More generally, all non-trivial problems are undecidable for PTAs (see [And17] for a survey). The unavoidability emptiness, where we seek valuations for which some location will always eventually be reached, or AF-emptiness (“is the set of timing parameter valuations such that a given location is unavoidable empty?”), is also undecidable [JLR15]. Similarly, EF-universality and AF-universality (“are all timing parameter valuations such that ...?”) are undecidable [ALR16a] for the general class of PTAs, while decidability results have been shown for L/U-PTAs [HRSV02], [BL09], [AL17]. Formal definitions of these problems are given in Section III-C.


Contribution: We show that extending timed automata with parametric updates, i.e., the ability to update a clock to an unknown rational constant, leads to the undecidability of the four following problems: EF-emptiness, AF-emptiness, EF-universality, AF-universality. That is, it is undecidable to determine:

• whether the set of parameter valuations for which a run leads to a given location is empty;
• whether for all parameter valuations there is a run that leads to a given location;
• whether the set of parameter valuations for which a given location is unavoidable is empty;
• whether for all parameter valuations a given location is unavoidable.

In contrast, when we restrict the parameters domain to integers, all four problems do not only become decidable, but we can achieve exact synthesis, i.e., represent the full set of valuations for which a run or all runs lead(s) to a given location.

On the one hand, our undecidability results add to the long list of undecidable parametric extensions of timed automata.

On the other hand, our decidability result enriches the notably short list of decidable such parametric extensions: the exact synthesis of integer-valued parameters compared as upper bounds to clocks can be achieved [BL09]; the emptiness of the valuations set for which a location is reachable is decidable both for rational-valued L/U-PTAs (in which parameters are always either upper bounds or lower bounds) [HRSV02], and for rational-valued integer-point PTAs, a semantic class for which the membership is however undecidable (although we exhibited a syntactic subclass, namely reset-PTAs) [ALR16a]. And AF-universality is decidable for L/U-PTAs only if the parameters are bounded with closed bounds (i.e., of the form p ∈ [a, b]). In the three latter cases (i.e., L/U-PTAs and integer-point PTAs), exact synthesis cannot be achieved though [JLR15], [ALR16a], which makes our synthesis result a rarity, together with only [BL09].

Finally, our formalism is supported by the parametric model 
checker IMITATOR [AFKS12]. 

Outline: Section II recalls necessary definitions. Sec- 
tion III introduces our formalism of update-to-parameter timed 
automata. Section IV proves our general undecidability result, 
while Section V proves the decidability when parameters 
become integer-valued. Section VI concludes the article and 
outlines future research directions. 


II. PRELIMINARIES 


Let ℕ, ℤ, ℚ₊ and ℝ₊ denote the sets of non-negative integers, integers, non-negative rational numbers and non-negative real numbers respectively.

Throughout this paper, we assume a set X = {x_1, …, x_H} of clocks, i.e., real-valued variables that evolve at the same rate. A clock valuation is a function w : X → ℝ₊. We identify a clock valuation w with the point (w(x_1), …, w(x_H)) of ℝ₊^H. We write 0 for the clock valuation that assigns 0 to all clocks. Given d ∈ ℝ₊, w + d denotes the valuation such that (w + d)(x) = w(x) + d, for all x ∈ X.

We assume a set P = {p_1, …, p_M} of parameters, i.e., unknown constants. A parameter valuation v is a function v : P → ℚ₊. An integer parameter valuation is a valuation v : P → ℕ. We identify a valuation v with the point (v(p_1), …, v(p_M)) of ℚ₊^M.

In the following, we assume ▷◁ ∈ {<, ≤, ≥, >}.

A parametric guard g is a constraint over X ∪ P defined by inequalities of the form x ▷◁ z, where z is either a parameter or a constant in ℤ. A non-parametric guard is a parametric guard without parameters (i.e., over X).

Given a parameter valuation v, v(g) denotes the constraint over X obtained by replacing in g each parameter p with v(p). Likewise, given a clock valuation w, w(v(g)) denotes the expression obtained by replacing in v(g) each clock x with w(x). A clock valuation w satisfies constraint v(g) (denoted by w ⊨ v(g)) if w(v(g)) evaluates to true. We say that v satisfies g, denoted by v ⊨ g, if the set of clock valuations satisfying v(g) is nonempty. We say that g is satisfiable if ∃w, v s.t. w ⊨ v(g).

A parametric update is a partial function r : X ⇀ ℕ ∪ P which assigns to some of the clocks an integer constant or a parameter. For v a parameter valuation, we define a partial function v(r) : X ⇀ ℚ₊ as follows: for each clock x ∈ X, v(r)(x) = k if r(x) = k ∈ ℕ and v(r)(x) = v(p) ∈ ℚ₊ if r(x) = p is a parameter. For a clock valuation w and a parameter valuation v, we denote by [w]_{v(r)} the clock valuation obtained after applying v(r).


III. UPDATE-TO-PARAMETER TIMED AUTOMATA 


Timed automata [AD94] are an extension of finite-state 
automata augmented with clocks that can be compared to 
(usually) integer constants in guards (along edges), and that 
can be updated (usually) to 0 along edges. We extend this 
formalism by allowing clocks to be updated to parameters. 


A. Syntax 


Definition 1 (U2P-TA). An update-to-parameter timed automaton (U2P-TA) A is a tuple A = (Σ, L, l_0, X, P, E), where:

1) Σ is a finite set of actions,
2) L is a finite set of locations,
3) l_0 ∈ L is the initial location,
4) X is a finite set of clocks,
5) P is a finite set of parameters,
6) E is a finite set of edges e = (l, g, a, r, l') where l, l' ∈ L are the source and target locations, g is a non-parametric guard, a ∈ Σ and r : X ⇀ ℕ ∪ P is a parametric update function.


In a concurrent setting, timed automata can be synchronized on shared actions. It is well-known that the product of several TAs gives a TA (see e.g., [Mil00]). Moreover, real-time physical systems modeled with TAs can be implemented and timed properties checked using e.g., Uppaal [BLL+95] or IMITATOR [AFKS12]. Similarly, our U2P-TAs can be synchronized the same way, and their product gives a U2P-TA. Their implementation is discussed in Section V.


Example 1. Consider the U2P-TA in Fig. 1c with five locations, four clocks (x, y, z and t) and three parameters (p_m, p_A, p_B). Observe that all three parameters are used in an update along the edge from l_0 to l_1.

As a motivating toy example, consider the case of a PhD student aiming at obtaining the authorization of her/his university in order to defend before December (assuming the system is starting at any moment). Two committees need to give their authorization sequentially (A then B), and the student must bring both authorizations to the administration two months ahead of the defense. Committee A (resp. B) meets periodically every two (resp. three) months, which is depicted in Figs. 1a and 1b, assuming time units are months.

The student workflow is modeled by the U2P-TA in Fig. 1c, synchronizing with both committees using actions comA and comB (clock x is shared between committee A and the student automaton, while y is shared between B and the student).


[Figure 1 not reproduced; recoverable content: (a) Committee A, a self-loop with guard x = 2, action comA, update x := 0; (b) Committee B, a self-loop with guard y = 3, action comB, update y := 0; (c) the student's workflow over locations l_0 to l_4, with the edges start (t := p_m, x := p_A), comA, comB (z := 0) and defend (z ≥ 2, t = 12), and self-loops labelled comB, comA and comA, comB.]

Fig. 1: A motivating example of U2P-TA


First, the student starts the process at time p_m, using the parametric update t := p_m. At the same time, we set the current clock of both committees to an unknown time; that is, assuming p_A ∈ [0, 2] and p_B ∈ [0, 3], the last occurrence of committee A (resp. B) is p_A (resp. p_B) or, put differently, the next occurrence of committee A is 2 − p_A (resp. 3 − p_B). This allows us to analyze symbolically the system, by setting the clock t, that acts as a global timer, to the accurate student start date p_m, while assuming an unknown situation of the two periodic committees. Then, the student waits for the next commission A, and gets the authorization, moving to location l_2; then, (s)he waits for the next commission B, and gets the authorization, moving to location l_3. Finally, (s)he waits two more months (using z ≥ 2) and defends in December (encoded by t = 12) in location l_4. The synchronization on comA and/or comB on self-loops allows the system to remain non-blocking.

The purpose of this analysis is to understand when in the year the student may start the workflow in order to be able to defend in December, depending on the current “offset” of the committees. That is, we want to synthesize the parameter valuations for p_m, p_A and p_B such that the system may eventually reach l_4.


Given a parameter valuation v, we denote by v(A) the structure where all occurrences of a parameter p_i have been replaced by v(p_i). If v(A) is such that all constants in updates are integers, then v(A) is an updatable timed automaton (see [BDFP04, Section 3.1]). In the following, we simply refer to an updatable timed automaton as a timed automaton, and we consider any structure v(A) to be a timed automaton, by assuming a rescaling of the constants: by multiplying all constants in v(A) by their least common denominator, we obtain an equivalent (integer-valued) timed automaton.

A bounded U2P-TA is a U2P-TA with a bounded parameter domain that assigns to each parameter a minimum integer bound and a maximum integer bound. That is, each parameter p_i ranges in an interval [a_i, b_i], with a_i, b_i ∈ ℕ. Hence, a bounded parameter domain is a hyperrectangle of dimension M.


B. Semantics of timed automata 
Let us now recall the concrete semantics of TAs. 


Definition 2 (Concrete semantics of a TA). Given a U2P-TA A = (Σ, L, l_0, X, P, E), and a parameter valuation v, the concrete semantics of v(A) is given by the timed transition system (S, s_0, →), with
• S = {(l, w) ∈ L × ℝ₊^H}, s_0 = (l_0, 0)
• → consists of the discrete and (continuous) delay transition relations:
  – discrete transitions: (l, w) →^e (l', w'), if (l, w), (l', w') ∈ S, there exists e = (l, g, a, r, l') ∈ E, w' = [w]_{v(r)}, and w ⊨ g.
  – delay transitions: (l, w) →^d (l, w + d), with d ∈ ℝ₊, if ∀d' ∈ [0, d], (l, w + d') ∈ S.


Moreover we write (l, w) ↦^e (l', w') for the combination of a delay and a discrete transition, where ((l, w), e, (l', w')) ∈ ↦ if ∃d, w'' : (l, w) →^d (l, w'') →^e (l', w').

Given a TA v(A) with concrete semantics (S, s_0, →), we refer to the states of S as the concrete states of v(A). A (concrete) run of v(A) is a possibly infinite alternating sequence of concrete states of v(A) and edges starting from the initial concrete state s_0, of the form s_0 ↦^{e_0} s_1 ↦^{e_1} ··· s_m ↦^{e_m} ..., such that for all i = 0, 1, ..., e_i ∈ E, and (s_i, e_i, s_{i+1}) ∈ ↦. Given a state s = (l, w), we say that s is reachable (or that v(A) reaches s) if s belongs to a run of v(A). By extension, we say that l is reachable in v(A), if there exists a state (l, w) that is reachable.

Throughout this paper, let K denote the largest constant in a given U2P-TA, i.e., the maximum between the largest constant compared to a clock in a guard or used in an update, and the largest bound of a parameter (if the U2P-TA is bounded).


C. Problem 


In this paper, we address the two following problems, given P a class of problems (e.g., reachability, unavoidability, TCTL model-checking):

P-emptiness problem:
INPUT: a U2P-TA A and an instance φ of P
PROBLEM: is the set of valuations v such that v(A) satisfies φ empty?

P-universality problem:
INPUT: a U2P-TA A and an instance φ of P
PROBLEM: are all valuations v such that v(A) satisfies φ?


We mainly focus on reachability (EF) and unavoidability (AF) [JLR15]. EF-emptiness asks, given a U2P-TA A and a location l, whether the set of valuations v such that there is a run in v(A) reaching l is empty. It is equivalent to AG-universality [And17]. More formally, the problem can be written as {v | ∃ s_0 ↦ (l_1, w_1) ↦ ··· ↦ (l, w) a run of v(A)} = ∅?

AF-emptiness asks, given a U2P-TA A and a location l, whether the set of valuations v such that all runs in v(A) reach l is empty. It is equivalent to EG-universality [And17].

EF-universality asks, given a U2P-TA A and a location l, whether all valuations v are such that there is a run in v(A) reaching l. It is equivalent to AG-emptiness [And17].

Finally, AF-universality asks, given a U2P-TA A and a location l, whether all valuations v are such that all runs in v(A) reach l. It is equivalent to EG-emptiness [And17].

Beyond the theoretical decision problems above, an ultimate 
goal is the following computation problem. 


P-synthesis problem:
INPUT: a U2P-TA A and an instance φ of P
PROBLEM: compute the set of valuations v such that v(A) satisfies φ.


Note that if EF-emptiness is undecidable, there is no hope 
for a useful and effective EF-synthesis procedure. 


IV. UNDECIDABILITY 


In this section, we show that our extension of TAs with 
parametric updates leads to the undecidability of the EF- 
emptiness problem. 

We show that any bounded (rational-valued) PTA can be 
transformed into a U2P-TA, and therefore that U2P-TAs are 
at least as expressive as (bounded) PTAs for which the EF- 
emptiness is known to be undecidable [Mil00]. 

Let us first recall PTAs [AHV93]. 


Definition 3 (PTA). A parametric timed automaton (PTA) is 
a U2P-TA such that 
1) every update function is a non-parametric update func- 
tion; 
2) guards along edges may be parametric guards. 


Given a PTA A and a valuation v, we denote by v(A) the structure where all occurrences of a parameter p_i have been replaced by v(p_i). If v(A) is such that all constants in guards are integers, then v(A) is a timed automaton. Again, as for U2P-TAs, given a PTA A, we may denote as a timed automaton any structure v(A), by assuming a rescaling of the constants. The semantics of PTAs is identical to that of U2P-TAs, since it is given in Definition 2 for a valuated PTA, i.e., a timed automaton.

The main idea of our proof is as follows: suppose that, in a PTA, we want to measure a (parametric) duration p. Then we can update a clock x to 0 and then test it with a guard x = p. But provided we know an upper bound K on p, we could, with a U2P-TA, update clock x to K − p and test it with a guard x = K instead. Now, since we do not allow linear expressions in updates, we instead replace K − p with a new parameter p' and prove that the existence of a valuation for p' in the U2P-TA such that the property holds is equivalent to that of a valuation for p in the initial PTA. This idea extends to other comparison operators than = and its practical development requires a few clock and parameter duplications.

Let A = (Σ, L, l_0, X, P, E) be a bounded PTA and K its largest constant. Let us define the following U2P-TA: A' = (Σ, L ∪ {l_0'}, l_0', X', P', E'), which has the same actions as A. For each x ∈ X, X' contains x and a duplicate x_p for each parameter p to which x is compared in A. P' contains all parameters in P, as well as one extra parameter per clock in X; given a clock x ∈ X, we denote by p_x its corresponding extra parameter in P'.

Let us now build E', initially containing all edges of E, and then modified as follows. Let x be a clock. Let e = (l_1, g, a, r, l_2) be an edge of A. If r(x) = 0, we perform the following modifications: first, we also update x_p to p_x along e, i.e., r(x_p) = p_x. In addition, for any edge e' comparing clock x to parameter p in its guard, we replace x ▷◁ p with x_p ▷◁ K. All other updates and non-parametric guards remain unchanged. Finally, we add one additional location l_0' to the locations L of A, which will be the new initial location, and one new additional edge from l_0' to the former initial location l_0 of A, with guard x = 0 for any clock x ∈ X and which updates, for all clocks x ∈ X, x_p to p_x.


Example 2. An example of this construction is shown in Fig. 2, where we assume that p_1 is bounded in [2, 5] and p_2 ∈ [0, 12]; therefore K = 12. For example, 12 − p_{1x} plays the role of p_1, and 12 − p_{2x} plays the role of p_2.


Since the initial sets of clocks X and parameters P are finite and our set of linear constraints is finite, we only add a finite number of clocks and parameters to the new automaton. Finally, A' is a U2P-TA. We denote by A' = UtP(A) this transformation.

Note that our transformation adds to the initial system in the worst case one parameter and one clock for each comparison to a parameter, i.e., |P'| + |X'| ≤ |P| + |X| + 2 × |P| × |X|.

In order to show that EF-emptiness is undecidable for U2P-TAs, we prove the following behavior: a goal location is reached by a run in a U2P-TA A if and only if there is a run in UtP(A) reaching it.

Consider the automaton presented in Fig. 3a. Given a parameter valuation v(p), we duplicate the clock x to x_p and update it to p_x where x is updated to 0. When x is compared to p, we replace this comparison by x_p compared to p_x, providing the automaton presented in Fig. 3b. During an execution of Fig. 3a accessing l_2, the time elapsed since the update of x until its comparison to p is v(p). During an execution of Fig. 3b accessing l_2, the time elapsed since the update of x_p until its comparison to p_x is K − v(p_x). We define the parameter valuation v'(p_x) = K − v(p). With this construction, there is a parameter valuation v such that there is a run from l_0 to l_2 in Fig. 3a iff there is a parameter valuation v' as defined such that there is a run from l_0 to l_2 in Fig. 3b.
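As an added illustration of the construction above (example code written for this page, not the authors' or IMITATOR's), the following Python builds UtP(A) from a dict-encoded bounded PTA. Naming is this example's own: the duplicate of clock x for parameter p is x_p, the extra parameter for that (clock, parameter) pair is p_x (one per pair, which is what the size bound |P'| + |X'| ≤ |P| + |X| + 2|P||X| accounts for), the new initial location is the old one primed, and the input automaton and the bound K = 5 are constructed in the spirit of Fig. 3, whose drawing is not reproduced here.

```python
# Added example (not the paper's code): the UtP construction of Section IV
# applied to a dict-encoded bounded PTA.  Names are this example's own:
# the duplicate of clock x for parameter p is "x_p", the extra parameter
# for that (clock, parameter) pair is "p_x", and the new initial location
# is the old one followed by "'".

def utp(pta, K):
    """Build the U2P-TA UtP(A) from a bounded PTA A whose largest constant is K.
    Edge: (source, guard, action, update, target).  Guard: list of
    (clock, op, rhs), rhs an int or a parameter name.  Update: dict mapping
    a clock to an int or a parameter name (the partial function r : X -> N u P)."""
    # (x, p) pairs such that clock x is compared to parameter p in some guard
    pairs = sorted({(x, rhs) for (_, g, _, _, _) in pta["edges"]
                    for (x, _, rhs) in g if isinstance(rhs, str)})
    dup = {(x, p): f"{x}_{p}" for (x, p) in pairs}    # duplicate clock x_p
    extra = {(x, p): f"{p}_{x}" for (x, p) in pairs}  # extra parameter p_x
    edges = []
    for (src, g, a, r, dst) in pta["edges"]:
        # each comparison x |><| p becomes x_p |><| K; constant guards are kept
        g2 = [(dup[(x, rhs)], op, K) if isinstance(rhs, str) else (x, op, rhs)
              for (x, op, rhs) in g]
        r2 = dict(r)
        for x, val in r.items():
            if val == 0:  # a reset of x also updates every duplicate x_p to p_x
                for (y, p) in pairs:
                    if y == x:
                        r2[dup[(x, p)]] = extra[(x, p)]
        edges.append((src, g2, a, r2, dst))
    # new initial location, left at time 0, initialising every x_p to p_x
    new_init = pta["init"] + "'"
    edges.append((new_init, [(x, "==", 0) for x in pta["clocks"]], "init",
                  {dup[xp]: extra[xp] for xp in pairs}, pta["init"]))
    return {"init": new_init,
            "locations": [new_init] + list(pta["locations"]),
            "clocks": list(pta["clocks"]) + [dup[xp] for xp in pairs],
            "params": list(pta["params"]) + [extra[xp] for xp in pairs],
            # which original parameter each extra parameter stands in for
            "origin": {extra[xp]: xp[1] for xp in pairs},
            "edges": edges}

def within_size_bound(pta, u2p):
    """The bound stated in the text: |P'| + |X'| <= |P| + |X| + 2 * |P| * |X|."""
    P, X = len(pta["params"]), len(pta["clocks"])
    return len(u2p["params"]) + len(u2p["clocks"]) <= P + X + 2 * P * X

def complement_valuation(v, u2p, K):
    """The valuation v' of UtP(A) matching v on A (Proposition 1):
    v'(p) = v(p) on the original parameters and v'(p_x) = K - v(p)."""
    vp = dict(v)
    for q, p in u2p["origin"].items():
        vp[q] = K - v[p]
    return vp

# Constructed in the spirit of Fig. 3 (drawing not reproduced): reset x on
# the first edge, then test x against p, with p assumed bounded in [0, 5],
# hence K = 5.
FIG3_LIKE = {"init": "l0", "locations": ["l0", "l1", "l2"],
             "clocks": ["x"], "params": ["p"],
             "edges": [("l0", [], "a", {"x": 0}, "l1"),
                       ("l1", [("x", "==", "p")], "b", {}, "l2")]}

if __name__ == "__main__":
    for edge in utp(FIG3_LIKE, 5)["edges"]:
        print(edge)
```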


[Figures 2 and 3 not reproduced.]

Fig. 2: A bounded PTA A (above) and its equivalent UtP(A) (below)

Fig. 3: A PTA A (a) and its equivalent U2P-TA UtP(A) (b)

Proposition 1. Let A be a bounded PTA, K its maximum constant, v be a parameter valuation, and v' = K − v. Let l be a goal location. There is a run in v(A) reaching l iff there is a run in v'(UtP(A)) reaching l.


Proof. Let ρ be a finite run of v(A) ending in a concrete state (l, w) and let σ = e_1 … e_n be the corresponding sequence of edges taken by ρ. We build, by induction on n, a run ρ' in v'(UtP(A)) ending in a concrete state (l, w') such that for all x ∈ X, w'(x) = w(x) and for all clocks x_p ∈ X' \ X, w'(x_p) = K − v(p) + w(x).

If n = 0, then ρ' consists only of the additional initial edge of UtP(A), which clearly sets all clocks to the adequate values.

Suppose now that we have built ρ' for size n and consider a run ρ with n + 1 edges. Then ρ consists of a run ρ_1, ending in (l_1, w_1) with n edges, followed by a delay d and finally a discrete transition along the last edge e. From the induction hypothesis, we can build an equivalent run ρ_1' in UtP(A) ending in (l_1, w_1'), such that for all x ∈ X, w_1'(x) = w_1(x) and for all clocks x_p ∈ X' \ X, w_1'(x_p) = K − v(p) + w_1(x). Let w_2 (resp. w_2') be the clock valuation obtained in A (resp. UtP(A)) after the delay d. By construction, the part of the guard of e comparing clocks in X to constants is satisfied by w_2' since it is the same as in A. Further, for each clock x ∈ X such that x ▷◁ p along e in A, we have instead x_p ▷◁ K along the modified e in UtP(A). But w_2'(x_p) = K − v(p) + w_2(x), so the latter comparison is equivalent to K − v(p) + w_2(x) ▷◁ K, i.e., w_2(x) ▷◁ v(p). So, since the guard is satisfied in A by w_2, the corresponding guard is satisfied in UtP(A) by w_2'. Then clocks in X are updated normally, and for all clocks x_p ∈ X' \ X, we have an update to v'(p_x) = K − v(p), which concludes the induction.

The other direction, starting from a run in UtP(A), is similar.


Theorem 1. The EF-emptiness problem is undecidable for 
bounded U2P-TAs. 


Proof. From the undecidability of EF-emptiness for bounded 
PTAs [Mil00]. 


We now show that this result can be extended to the full 
class of (unbounded) U2P-TAs. 


Theorem 2. The EF-emptiness problem is undecidable for 
U2P-TAs. 


Proof. Similarly to the proof of [ALR16b, Proposition 8], we claim that a bounded U2P-TA can be easily simulated using an unbounded U2P-TA. We present a gadget in Fig. 4 that uses two clocks (that can be clocks used by the PTA) and two transitions that can be added before the initial location of any unbounded U2P-TA, and ensures a parameter p is bounded, i.e., given two integer constants min and max we have p ∈ [min, max]. We need one gadget per parameter; these gadgets can be chained sequentially before the initial location of an unbounded U2P-TA, and all clocks must be updated to 0 before entering the initial location.

The gadget works as follows: when taking the first transition from l_0 to l_1, clock x is updated to p and clock y to 0. The transition from l_1 to l_2 can be taken if and only if, in a 0-delay ensured by the guard y = 0, we have that x ≤ max and min ≤ x. This means there is a run from l_0 to l_2 if and only if there is a parameter valuation v such that min ≤ v(p) ≤ max, which in other words means that the parametric domain is bounded.

As from Theorem 1 the EF-emptiness problem is undecidable for bounded U2P-TAs, and as any bounded U2P-TA can be expressed using a U2P-TA, we conclude that the EF-emptiness problem is undecidable for unbounded U2P-TAs.


Corollary 1. The AF-emptiness problem is undecidable for 
U2P-TAs. 


Proof. The AF-emptiness problem is undecidable for PTAs as it is proven undecidable for one of its subclasses in [JLR15]. Since we can encode a PTA into a U2P-TA, it is undecidable for the latter.


Corollary 2. AF, EF-universality problems are undecidable 
for U2P-TAs. 


Proof. In [ALR16a], EG, AG-emptiness problems are proven undecidable for PTAs. As AF, EF-universality are their equivalent respectively, they are also undecidable for PTAs, and therefore for U2P-TAs.

[Figure 4 not reproduced; recoverable content: two consecutive edges, the first with updates x := p, y := 0, the second with guard min ≤ x ≤ max, y = 0 and update x := 0.]

Fig. 4: A gadget that ensures a parameter p is bounded by min and max


V. DECIDABILITY 


Let us now show that, when parameters are restricted to (unbounded) integers, the EF-emptiness problem becomes PSPACE-complete.

If parameters in a U2P-TA only have (possibly unbounded) integer valuations, we say it is a U2iP-TA. Note that once valuated by an integer parameter valuation v, a U2iP-TA is an updatable timed automaton with updates to integer constants, as defined in [BDFP04, Section 3.1]. Hence clock regions are still topical in this context [BDFP04, Section 5.1]. Let us recall the notion of clock region [AD94]. Given a clock x and a clock valuation w, recall that ⌊w(x)⌋ denotes the integer part of w(x) while frac(w(x)) denotes its fractional part.


Definition 4 (clock region). For two clock valuations w and w', ∼ is an equivalence relation defined by: w ∼ w' iff
1) for all clocks x, either ⌊w(x)⌋ = ⌊w'(x)⌋ or w(x), w'(x) > K;
2) for all clocks x, y with w(x) ≤ K and w(y) ≤ K, frac(w(x)) ≤ frac(w(y)) iff frac(w'(x)) ≤ frac(w'(y));
3) for all clocks x with w(x) ≤ K, frac(w(x)) = 0 iff frac(w'(x)) = 0.
A clock region R is an equivalence class of ∼.


Two clock valuations in the same clock region reach the 
same region by time elapsing, satisfy the same guards and 
thus can take the same transitions [AD94]. 


Theorem 3. The set of parameter valuations for which a given 
location is reachable is effectively computable for U2iP-TA. 


Proof. We first need an intermediate lemma: 


Lemma 1. Let A be a U2iP-TA. Let K be the greatest constant in A. Let l be a goal location. Let v, v' be two rational parameter valuations s.t. for all parameters p, either v(p) = v'(p) or v(p) > K and v'(p) > K. There is a run ρ in v(A) reaching (l, w) iff there is a run ρ' in v'(A) reaching (l, w') s.t. at each state, the two clock valuations of ρ and ρ' are in the same clock region and location.


Proof. By induction on the length of the run. Let v, v' be such parameter valuations.

For a run of length 0 of v(A), there is a run of length 0 of v'(A) reaching the initial location. If there is a run of length 0 of v'(A), there is a run of length 0 of v(A) reaching the initial location.

Now, suppose the result holds for every run of length i. Assume a run of v(A) of length i + 1, with a prefix ρ of length i reaching (l_i, w_i) followed by a state obtained using edge e = (l_i, g, a, r, l_{i+1}). That is, the run is of the form ρ ↦^e (l_{i+1}, w_{i+1}).

By induction hypothesis, let ρ' be a run of v'(A) reaching (l_i, w_i') s.t. at each state, the two clock valuations of ρ and ρ' are in the same clock region and location.

Now if for all clocks x, no w_i(x) is the result of a parametric update, then trivially w_i ⊨ g and, as w_i ∼ w_i', w_i' ⊨ g. Alternatively, suppose for some x and parameter p, we have w_i(x) = v(p). If v(p) ≤ K + 1 and w_i ⊨ g, since v'(p) = v(p) then, as w_i ∼ w_i', w_i' ⊨ g. If v(p) > K + 1 and w_i ⊨ g, since v'(p) > K + 1 then, as w_i ∼ w_i', w_i' ⊨ g. We treat the case of multiple updates of clocks to parameters in e the same way. Finally, we can take the transition e with the same delay. Hence ρ' ↦^e (l_{i+1}, w_{i+1}') is a run of v'(A) of length i + 1 reaching l_{i+1} with the same actions, locations, delays and, at each state, the two clock valuations of ρ and ρ' are in the same clock region and location.

The other way is a direct consequence of the previous paragraph and the definition of the clock regions.


We can now go back to the proof of Theorem 3. Let A be a U2iP-TA and K be the greatest constant in A. Now let v be an (integer) parameter valuation. Since v(A) is an updatable timed automaton, the reachability of a given state (l, w) is decidable [BDFP04, Section 5]. It is sufficient to enumerate all integer valuations s.t. for each parameter p, v(p) ≤ K + 1. Indeed, from Lemma 1 a parameter valuation v with v(p) > K + 1 allows to take the same transitions and reach the same guards as the parameter valuation v' s.t. for all p' ≠ p, v(p') = v'(p') and v'(p) = K + 1, so we can replace such parameter valuations by a valuation v' as defined previously. In conclusion, there is a finite number of parameter valuations to test to obtain the full set of valuations for which the goal location is reachable.
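As an added example (not the paper's or IMITATOR's code), the enumeration from the proof of Theorem 3 applied to the PhD-student workflow of Example 1: every integer valuation of the bounded domain is tested, and reachability in each valuated timed automaton is decided by an explicit-state search over integer clock valuations. Assumptions: the product of the student with the two committees is written as one U2P-TA (locations are the student's; x and y are the committees' clocks; the self-loops are comB on l_1, comA on l_2 and both on l_3); p_m ranges over [0, 12], a bound the text does not give; and since every guard is closed with integer constants, integer delays suffice for location reachability (digitisation), each clock being truncated above its largest relevant constant.

```python
# Added example (not the paper's or IMITATOR's code): EF-synthesis for a
# bounded U2iP-TA by enumerating integer valuations (Theorem 3) and deciding
# reachability in each valuated updatable TA by an integer-time search.
from collections import deque
from itertools import product

OPS = {"==": lambda a, b: a == b, "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

# Encoding: edge = (source, guard, action, update, target); guard = list of
# (clock, op, integer constant); update = {clock: int or parameter name},
# i.e. the partial function r : X -> N u P.  Product of Example 1 (assumed
# self-loop placement): the committees contribute the guards x == 2 / y == 3
# and the resets on comA / comB, their clocks x and y being shared.
PHD = {
    "init": "l0", "clocks": ["x", "y", "z", "t"], "params": ["pm", "pA", "pB"],
    "edges": [
        ("l0", [], "start", {"t": "pm", "x": "pA", "y": "pB"}, "l1"),
        ("l1", [("x", "==", 2)], "comA", {"x": 0}, "l2"),          # authorisation A
        ("l2", [("x", "==", 2)], "comA", {"x": 0}, "l2"),          # A keeps meeting
        ("l3", [("x", "==", 2)], "comA", {"x": 0}, "l3"),
        ("l1", [("y", "==", 3)], "comB", {"y": 0}, "l1"),          # B meets while waiting for A
        ("l2", [("y", "==", 3)], "comB", {"y": 0, "z": 0}, "l3"),  # authorisation B
        ("l3", [("y", "==", 3)], "comB", {"y": 0}, "l3"),
        ("l3", [("z", ">=", 2), ("t", "==", 12)], "defend", {}, "l4"),
    ],
}
# Assumed bounded domain: pm is the start month; pA, pB are the offsets of Example 1.
PHD_BOUNDS = {"pm": (0, 12), "pA": (0, 2), "pB": (0, 3)}

def largest_constant(ta):
    """K: the largest constant compared to a clock in a guard or used in an update."""
    ints = [k for (_, g, _, _, _) in ta["edges"] for (_, _, k) in g]
    ints += [u for (_, _, _, r, _) in ta["edges"] for u in r.values() if not isinstance(u, str)]
    return max(ints, default=0)

def clock_caps(ta, bounds):
    """Per clock x, K_x + 1 where K_x is the largest value x is compared to or
    updated to (a parametric update counts as the parameter's upper bound).
    Without diagonal constraints, all values above K_x behave alike."""
    caps = {x: 1 for x in ta["clocks"]}
    for (_, g, _, r, _) in ta["edges"]:
        for (x, _, k) in g:
            caps[x] = max(caps[x], k + 1)
        for x, u in r.items():
            caps[x] = max(caps[x], (bounds[u][1] if isinstance(u, str) else u) + 1)
    return [caps[x] for x in ta["clocks"]]

def reachable(ta, v, goal, caps):
    """Is `goal` reachable in v(A)?  Guards are closed and constants integer,
    so integer delays suffice (any real run can be digitised); capping the
    clocks makes the search space finite."""
    idx = {x: i for i, x in enumerate(ta["clocks"])}
    edges = [(s, g, {x: v[u] if isinstance(u, str) else u for x, u in r.items()}, d)
             for (s, g, _, r, d) in ta["edges"]]  # v(A): parameters replaced by values
    start = (ta["init"], tuple(0 for _ in caps))
    seen, todo = {start}, deque([start])
    while todo:
        loc, w = todo.popleft()
        if loc == goal:
            return True
        succ = [(loc, tuple(min(c + 1, cap) for c, cap in zip(w, caps)))]  # delay of 1
        for (s, g, r, d) in edges:
            if s == loc and all(OPS[op](w[idx[x]], k) for (x, op, k) in g):
                w2 = list(w)
                for x, val in r.items():
                    w2[idx[x]] = min(val, caps[idx[x]])
                succ.append((d, tuple(w2)))
        for st in succ:
            if st not in seen:
                seen.add(st)
                todo.append(st)
    return False

def ef_synthesis(ta, goal, bounds=None):
    """Theorem 3 made concrete: test every integer valuation of the bounded
    domain (or, if unbounded, every valuation with v(p) <= K + 1, a value of
    K + 1 standing for all larger ones) and keep those reaching `goal`."""
    if bounds is None:
        K = largest_constant(ta)
        bounds = {p: (0, K + 1) for p in ta["params"]}
    caps = clock_caps(ta, bounds)
    names = ta["params"]
    ranges = [range(lo, hi + 1) for lo, hi in (bounds[p] for p in names)]
    return [vals for vals in product(*ranges)
            if reachable(ta, dict(zip(names, vals)), goal, caps)]

if __name__ == "__main__":
    for pm, pA, pB in ef_synthesis(PHD, "l4", PHD_BOUNDS):
        print(f"pm={pm:2d} pA={pA} pB={pB}")
```

The synthesised set is exactly the valuations for which the first B meeting on or after the first A meeting leaves at least two months before t = 12, which is what the enumeration recovers without any symbolic reasoning.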


Proposition 2. The EF-emptiness problem is PSPACE-complete for U2iP-TAs.

Proof. Since we can synthesize exactly the set of parameter valuations for which the goal location is reachable using Theorem 3, the decidability of the EF-emptiness follows immediately.

Let us now have a look at the complexity of the EF-emptiness problem for U2iP-TAs. First, since a TA is a special case of U2iP-TA with no parametric update, we have the PSPACE-hardness for EF-emptiness in our U2iP-TAs [AD94]. Now, let G be a set of goal locations of A. Consider the non-deterministic Turing machine that:

1) takes A, G and K as input
2) non-deterministically “guesses” an integer valuation v bounded by K + 1 and writes it to the tape
3) overwrites on the tape each parameter p by v(p), giving the updatable TA v(A)
4) solves reachability in v(A) for G
5) accepts iff the result of the previous step is “yes”.

The machine accepts iff there is an integer valuation v bounded by K + 1 and a run in v(A) reaching a location l ∈ G.

The size of the input is |A| + |G| + |K|, using |·| to denote the size in bits of the different objects. There are at most (K + 1)^M possible valuations, where M is the number of parameters in A. Storing the valuation at step 2 uses at most M × |K + 1| additional bits, which is polynomial w.r.t. the size of the input. Step 4 also needs polynomial space from [BDFP04]. So globally this non-deterministic machine runs in polynomial space. Finally, by Savitch's theorem we have PSPACE = NPSPACE [Sav70], and the expected result.


The following result is direct from Theorem 3: 


Corollary 3. The EF-universality problem is decidable for 
U2iP-TAs. 


Proof. Using Lemma 1 (see proof of Theorem 3), given a U2iP-TA A and its greatest constant K, there is a finite number of parameter valuations to test. Therefore, given a goal location l, it is sufficient to test whether for all parameter valuations, there is a run reaching l in the valuated instance of A.


We also state the two following corollaries, which settle the remaining decision problems considered in this paper for U2P-TAs.


Corollary 4. The set of parameter valuations for which a 
given location is unavoidable is effectively computable for 
U2iP-TA. 


Proof. Let A be a U2iP-TA and v a parameter valuation. As we use in our construction the same clock regions as in [AD94], if there is a run in v(A) reaching a location l, then all runs going through the same clock regions are equivalent: they satisfy the same guards, and end in the same region after an update and after letting time elapse. Moreover, using the construction of the region automaton of [AD94], it is sufficient to test whether all runs in the region automaton of v(A) reach l, and these runs are in finite number. Using the same reasoning as in the proof of Theorem 3 we obtain our result.


Corollary 4 leads to the decidability of the AF-emptiness 
problem. Following the same reasoning as in Theorem 3, we 
state the last but not least result of this paper: 


Corollary 5. The AF-emptiness and AF-universality problems 
are decidable for U2iP-TAs. 


Proof. Given a U2iP-TA A, and using the same reasoning as in the previous proof together with the region automaton of [AD94], we can test whether all runs in this region automaton reach l, and these runs are in finite number. As there is a finite number of parameter valuations to test, we can compute from Corollary 4 the set of parameter valuations such that all runs reach l (i.e., AF-synthesis). Testing the emptiness of the obtained set of parameter valuations gives AF-emptiness. Given a goal location l, it is sufficient to test whether, for all parameter valuations, all runs reach l in the valuated instance of A to decide AF-universality.


Implementation in IMITATOR 


U2P-TAs (and naturally U2iP-TAs) are supported by IMITATOR [AFKS12], a parametric model checker taking as input extensions of parametric timed automata.

Passing Example 1 as input and using the reachability 
synthesis algorithm, IMITATOR synthesizes the following con- 
straint: 


$p_B + 4 \geq p_m \wedge p_B \geq p_A + 1 \wedge p_B \leq 3$
$\vee$
$p_m \leq p_B + 7 \wedge p_A \leq 2 \wedge p_B \leq p_A + 1$


The first conjunction of inequalities states that, if committee B is the next to meet (which is encoded by $p_B \geq p_A + 1$, and could also be written as $3 - p_B \leq 2 - p_A$), then the month $p_m$ at which the student starts the process should be at most 4 plus the number of months since the last occurrence of committee B. (The last inequality simply recalls that $p_B$ is less than or equal to 3.) The second conjunction of inequalities states that, if committee A is the next to meet, then the month $p_m$ at which the student starts the process should be at most 7 plus the number of months since the last occurrence of committee B.

For any such valuation, there exists a run of the system (i.e., a configuration of the committees' dates respecting their respective periods) such that the student may defend in December. Also note that, if we add proper invariants¹, then the system becomes completely deterministic and the valuations for which there exists a run reaching l4 are also such that all runs reach l4 (since there exists only one run), and therefore the student is guaranteed to be able to defend in December for any of these valuations.

We can also study a situation where the system is only partially parameterized: assume $p_m = 6$, i.e., the student will start the process in June in any case. The constraint encoding the current state of committees A and B is given by:

$p_A \leq 2 \wedge p_B \leq p_A + 1$
$\vee$
$p_B \geq 2 \wedge p_B \leq 3 \wedge p_B \geq p_A + 1$

A graphical visualization (output by IMITATOR) is given in Fig. 5a (plain red depicts good valuations, i.e., those for which the student may defend in December).


Alternatively, if $p_m = 9$ (i.e., the student starts the process in September), then the constraint on $p_A$ and $p_B$ is as follows:

$p_B \geq 2 \wedge p_A \leq 2 \wedge p_A + 1 \geq p_B$


¹ Precisely, $x \leq 2$ in committee A, $y \leq 3$ in committee B, and $t \leq 12$ in the student automaton.

Fig. 5: Graphical visualization in two dimensions of the parameter synthesis of Example 1


A graphical visualization is given in Fig. 5b. 

Finally, note that this entire example is not restricted to integer-valued parameters (rational-valued months can be used to denote a finer time grain, e.g., days or even hours), and it therefore falls in the undecidable case of Theorem 1. Nevertheless, IMITATOR terminates here with an exact (sound and complete) result.


VI. CONCLUSION 


In this paper we defined two new formalisms to model 
concurrent timed systems with uncertainty: U2P-TA for which 
we proved that the EF-emptiness problem is undecidable, 
even for bounded parameters, and U2iP-TA for which we 
proved that the EF-emptiness problem is PSPACE-complete. 
This discrepancy between integer-valued and rational-valued parameters was already observed in parametric timed automata: EF-emptiness is decidable for integer-valued parameters with 1
parametric clock (i. e., a clock compared to a parameter in 
at least one guard) and 3 non-parametric clocks [AHV93], 
while it becomes undecidable over rational-valued parame- 
ters [Mil00]. Similarly, the discrepancy between (rational- 
valued) bounded parameters and unbounded parameters is 
reminiscent of the recent result we showed for EG-emptiness 
(“is the set of valuations for which at least one maximal run 
remains in a given set of locations empty?”): this problem 
is decidable for bounded L/U-PTAs (a parameter is either 
used as an upper bound or a lower bound in guards) with 
rational-valued parameters, while it becomes undecidable for 
the full class of L/U-PTAs [AL17]. Furthermore, we extended 
our undecidability results to the EF-universality, AF-emptiness 
and AF-universality problems for U2P-TA, but also our decid- 
ability results to these same problems for U2iP-TA. This paper 
therefore handles a wide range of decision problems for U2P- 
TA. We conjecture that decidability could be extended to full TCTL model checking following a similar reasoning.

The fact that we allow updates to parameters in the (possibly parametric) timed extensions of finite-state automata is quite new and, to the best of our knowledge, has not been investigated until now. Despite the undecidability result when the parameter domain is rational, we believe this new formalism, extended with parameters allowed in guards, could become decidable even over rational-valued parameters if we add a few semantic restrictions. Indeed, reset-PTAs have been studied in [ALR16a] and are a promising subclass of PTAs to extend. For this purpose, we would like to explore PTAs in which updates to parameters are also allowed, and under which conditions the EF-emptiness problem could become decidable. Moreover, the semantic restriction of reset-PTAs (a clock is updated to 0 whenever it is compared to a parameter) is in a way reminiscent of initialized rectangular hybrid automata (a variable is updated whenever its dynamics change) presented in [HKPV98], and it would be interesting to study these systems with parameters involved. Therefore, extending our results to hybrid automata is also an interesting perspective. Finally, beyond the toy aspect of Example 1, we believe that U2iP-TAs can be used to model scheduling problems for real-time systems subject to uncertainty, notably in the task offsets, as this is where we used parameters in Fig. 1.